Sandbox CSS-only build dependencies#1709
Merged
Merged
Conversation
Limits the damage a compromised package in the Autoprefixer/PostCSS/Sass dependency trees can do, for example: malicious CSS output is bad, but not a trivial immediate disaster the way malicious JS or SVG output would be. The Dart Sass version upgrade is included because we’re switching packages anyway. Causes an 18-byte increase in CSS size as a couple of rules are split into multiple ones with the same selector ([Dart Sass 1.92.0][] change to nested selectors interleaved with declarations), and the build output is otherwise unchanged. Esbuild is the only remaining dependency with full-process privileges for now. Increases full build time (`wzl assets --nobuild`) by 10–40% for me, but the difference with `wzl assets-watch` is unnoticeable. [Dart Sass 1.92.0]: https://github.com/sass/dart-sass/blob/main/CHANGELOG.md#1920
For best sandbox effectiveness, we need V8s new enough that our dependencies can’t use public exploits against them, for one. (At least net permission is denied at runtime.) [The Deno Docker images’ build process][1] doesn’t involve any signature check (it downloads the release and its hash from `dl.deno.land`), which is a little disturbing. I’m grateful that the result is a single file, since the zip file appears to have immediate access to execute arbitrary code (extracted in `/`, could contain a +x `usr/local/bin/chmod`) within the same layer where it’s extracted. I was unable to reproduce the binary for `docker.io/denoland/deno:alpine-2.8.1` with the most convenient `patchelf` to hand, so I switched to Debian, which is a step in the glibc direction I had been considering for other reasons anyway – other images to follow (or maybe we can get to distroless). I’ve only verified the amd64 image, and that’s the architecture that the pinned hash corresponds to. (This was a nice way to find out that the Dockerfile syntax now supports specifying both a tag and a hash.) The build process also does the same unverified download of a mutable GitHub tag with tini, so we bypass its tini. On the GitHub side, Deno releases have become immutable and added attestations since 2.3.5, which is a good start. [1]: https://github.com/denoland/deno_docker/blob/3a42f7964cd68395bb95dd39882b3b0e2f436a8a/bin.dockerfile#L14-L23
Reduces the net `wzl assets --nobuild` performance hit from ~40% to ~15%.
fixing cache for non-npm packages for Docker build.
3ad1121 to
5538623
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Involves upgrades to Deno 2.8.1 and Dart Sass 1.100.0. See individual commits for details.